Engine live on the GitHub Marketplace

Dependency governance you don’t need a
platform team to run.

depproof audits your dependency licenses and supply-chain risk from open data — resolving the full Maven & Gradle tree with no build or lockfile, and running as a single container or GitHub Action. Self-hosted, host-agnostic, flat-priced.

Free for open source & teams under $1M revenue · Apache-licensed data · runs in your perimeter

.github/workflows/depproof.yml
- uses: depproof/depproof-action@v0
  with:
    path: .            # your Maven/Gradle project
    fail-on: copyleft  # or: unknown, vuln-high, none
    sbom: cyclonedx    # emit a CycloneDX SBOM artifact

# → self-contained HTML report + SBOM, published as build artifacts
# → full transitive tree, licenses resolved, policy enforced — no build required
Built for a mixed, real-world estate
MavenGradleGitHub ActionsGitLab CIDockerOSV.devCycloneDX

The gap

Every governance tool makes you choose something you shouldn’t have to.

Host-native tools (GitHub Code Security, GitLab Ultimate) only govern their own host — a GitHub + GitLab shop needs two of them, two dashboards, and the top-tier per-seat bill on both.

SaaS scanners want your code and findings in their cloud — a new subprocessor to vet and data leaving your perimeter, on a per-developer price that grows with your team.

Heavy self-hosted platforms can stay in-perimeter — but only if you staff a server, a database, HA, and Java expertise to keep them running.

JVM transitive resolution is caveated almost everywhere — needing a build, a lockfile, or dependency-submission just to see the tree accurately.

depproof is the combination none of them offer: lightweight, host-agnostic, self-hostable, flat-priced, open-data, with accurate JVM resolution — no build.


How it works

Point it at a repo. Get an audit you can act on.

Resolve

depproof reads your Maven/Gradle project and resolves the full transitive dependency tree with Aether — the same resolver the ecosystem trusts — without running your build.

Enrich & check

Each dependency is matched to its license and to advisory data from OSV.dev, then checked against your policy: allowed licenses, blocked copyleft, severity thresholds.

Report & gate

You get a self-contained HTML report and a CycloneDX SBOM as build artifacts — and a pass/fail gate so a bad license or CVE stops the PR, not the release.

🧭

Full transitive resolution

Resolves the complete Maven/Gradle dependency tree with Aether — no build, no lockfile, no dep-submission dance. The accurate graph everything else depends on.

⚖️

License audit & policy

Every dependency’s license, resolved and normalized, checked against a policy you define. Fail the build on a copyleft or unknown license before it ships.

🌐

Open data (OSV.dev)

Vulnerability and advisory data comes from OSV — open, auditable, portable. No proprietary database to lock you in or hold your findings hostage.

📦

CycloneDX SBOM

Emit a standards-compliant CycloneDX SBOM for every scan — the evidence artifact your compliance, procurement, and EO-14028 / EU-CRA obligations ask for.

🪶

One lightweight image

A single ~31MB container. No server to babysit, no database, no HA cluster, no Java platform team. Run it in CI or on a laptop the same way.

🔒

Self-hosted by default

Runs entirely inside your perimeter. Your code and your findings never leave it — nothing to send to a vendor cloud, no new subprocessor to vet.


Why depproof

The advantage is the combination — not any one box.

We don’t out-feature the incumbents on raw depth, and we say so. depproof wins when your estate doesn’t fit anyone else’s trade-offs.

One layer, every host

GitHub-native governance can’t see GitLab repos, and vice versa. depproof governs GitHub, GitLab, Bitbucket and any CI from a single layer — because it runs where you run it.

Priced to cover everything

Per-seat and per-committer pricing quietly pushes teams to under-scope coverage. depproof is flat — free under $1M revenue — so you can scan 100% of your repos, not just the ones you can afford.

Your data stays yours

Self-hosted and built on open data (OSV). No proprietary vulnerability DB, no vendor cloud holding your SBOMs. Switch hosts, switch CI, keep your governance.

No platform team required

The self-hostable heavyweight in this category needs a server, a database, HA and Java expertise to run. depproof is one image you already know how to operate.

How depproof compares

An honest, capability-by-capability view. ✅ shipping today · 🟡 on the roadmap · ⚪ not offered.

Capability Host-native
(GH / GitLab)
SaaS scanner Heavy self-hosted depproof
Governs GitHub and GitLab and CI ⚪ own host only
Runs fully in your perimeter ⚪ mostly cloud ⚪ SaaS
Light to operate (one image) n/a hosted n/a SaaS ⚪ server + DB + HA
JVM transitive tree, no build/lockfile 🟡 caveated ✅ runs build ✅ Aether, no build
Open, portable data (OSV) ⚪ proprietary ⚪ proprietary ⚪ proprietary
Pricing model per-committer per-developer per-application flat · free <$1M
Org-wide dashboard & blast radius 🟡 roadmap

Org-wide aggregation is table stakes across incumbents; depproof’s control plane is in active development. We’d rather tell you that than overclaim it. See the FAQ for the honest version.


depproof is for you if…

  • Your estate spans more than one code host or CI system.
  • You’re priced out of — or unwilling to pay — top-tier per-seat governance just to give security a dashboard.
  • Your code and findings can’t leave your perimeter.
  • You also can’t staff a heavy on-prem platform to keep them in it.
  • You’re JVM-heavy and tired of inaccurate transitive resolution.
  • You want open data and no lock-in to a host or proprietary DB.

You probably don’t need depproof if…

  • You’re all-in on one host and happy paying for its premium governance (GHAS, GitLab Ultimate).
  • You’ve standardized on Snyk or Nexus and are content with the cost and deployment.

We’re not a rip-and-replace for a happy single-vendor shop. We build for the gap those tools leave — and we’ll say so on a call.

Audit your first repo in five minutes.

Add the Action to a workflow, or pull the image and run it locally. Nothing to sign up for, nothing leaves your perimeter.